Pix 501 to Pix 501 VPN, Cisco VPN Client 1

shortomiga (IS-IT--Management, GB), Mar 8, 2006
I have a problem with a basic VPN proposal.
We have a PIX501 in the main office and a PIX501 in a second office. We would like the two Pix units to establish a VPN to allow users to see the server in the main office. At the same time the users at both sites need to be able to access the internet while the VPN is connected. We also need the ability for users on Cisco VPN client software to access the server in the main office.

All sites have 2meg broadband

Is this possible with the hardware configuration explained above ?
 
It's nice to hear that.

We have a consultancy company looking at this and they really are struggling, so I think we will end up doing it ourselves.

The pix in the main office is on a fixed IP, but the others are dynamic.
What is the starting point with the pix config? Do you have any example of the config for pix to pix vpn, or should I post our current config, which will only allow Cisco VPN Client in, and which also doesn't work properly, because if a second client connects then the first gets booted off.
 
Here's a basic config which can be applied to both sites (assuming you're not using private addresses):
SITE1
Code:
access-list SITE1-to-SITE2 permit ip [IP address and mask from SITE1] [IP address and mask from SITE2]
This line forces all traffic originating from the inside of site1 with site2 as destination into the VPN tunnel.
Code:
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map SITE1 10 ipsec-isakmp 
crypto map SITE1 10 match address SITE1-to-SITE2 
crypto map SITE1 10 set peer [remote site outside address]
crypto map SITE1 10 set transform-set ESP-3DES-MD5
crypto map SITE1 interface outside

isakmp enable outside 
isakmp key [pre-share key (just make something up)] address [remote site outside address] netmask 255.255.255.255
isakmp policy 10 authentication pre-share 
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2 
isakmp policy 10 lifetime 86400
This will set up and initiate the VPN tunnel at site1. Modify the config to fit on the PIX at Site2 and you should have it up and running. This config will only encrypt traffic between sites. All other traffic will pass on to the outside interface and through to the internet.

Hope this helps.

A firm believer of "Keep it Simple" philosophy
Cheers
/T
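The layout described in this thread (fixed IP at the main office, dynamic IP at the second office, plus Cisco VPN Client users) needs a bit more on the main-office PIX than the site-to-site snippet above: a dynamic crypto map, because the hub cannot "set peer" to an address it does not know; a wildcard pre-shared key for that dynamic-IP peer; a NAT exemption so LAN traffic bound for the tunnel is not PATed before the crypto map sees it; and a vpngroup for the software clients. The configuration below is an added example in PIX OS 6.3 syntax, not the poster's config or anything from the thread. The addresses (main office LAN 192.168.1.0/24, second office LAN 192.168.2.0/24, client pool 192.168.100.0/24, hub outside address 203.0.113.10, DNS server 192.168.1.5), the map, group and user names, and the key strings are placeholders chosen for the example; the `!` lines are annotations to drop before pasting.

```cisco
! ===== Main office PIX 501 (hub), static outside address 203.0.113.10 (assumed) =====
! Traffic between the main-office LAN and the second office or the client pool.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
! Networks pushed to the VPN client as split-tunnel routes; the client's
! other traffic stays on its own internet connection.
access-list SPLIT permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

! Exempt tunnel traffic from PAT. Everything else from inside is PATed to the
! outside address, which is what keeps ordinary internet access working
! while the tunnel is up.
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Addresses handed to Cisco VPN Client users.
ip local pool VPNPOOL 192.168.100.1-192.168.100.50

! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! The spoke's address changes, so the hub uses a dynamic crypto map that
! accepts any peer which authenticates. The same map serves the software clients.
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE client configuration address respond
crypto map OUTSIDE client authentication LOCAL
crypto map OUTSIDE interface outside

isakmp enable outside
isakmp identity address
! UDP/4500 encapsulation for peers and clients sitting behind NAT.
isakmp nat-traversal 20
! Wildcard key for the dynamic-IP spoke (identified by address, which is not
! known in advance). Use a long random string, not a word.
isakmp key SpokePSK-change-me address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Cisco VPN Client group (aggressive mode; the client's group name is the vpngroup name).
vpngroup REMOTEUSERS address-pool VPNPOOL
vpngroup REMOTEUSERS dns-server 192.168.1.5
vpngroup REMOTEUSERS split-tunnel SPLIT
vpngroup REMOTEUSERS idle-time 1800
vpngroup REMOTEUSERS password GroupPSK-change-me
! Per-user XAUTH account in the PIX's local database.
username alice password AliceSecret-change-me

! ===== Second office PIX 501 (spoke), dynamic outside address =====
access-list NONAT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! The spoke knows the hub's fixed address, so it keeps a static map and is
! the side that has to initiate the tunnel.
crypto map TOHUB 10 ipsec-isakmp
crypto map TOHUB 10 match address NONAT
crypto map TOHUB 10 set peer 203.0.113.10
crypto map TOHUB 10 set transform-set ESP-3DES-SHA
crypto map TOHUB interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp key SpokePSK-change-me address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Bring the tunnel up from the second office (for example by pinging a main-office host from that LAN) and check it with `show crypto isakmp sa` and `show crypto ipsec sa` on either box. Because the hub only has a dynamic map for this peer, traffic from the main office towards the second office flows only once the spoke has established the tunnel. 3DES on a PIX 501 needs the 3DES/AES activation key installed.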
 
Thanks for the pointers,

I will pass these on to see if the consultancy can resolve our issues

Regards

S
 